<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta content="IE=edge" http-equiv="X-UA-Compatible">
    <meta content="width=device-width, initial-scale=1" name="viewport">
    <title>Homebrew bug allowed researcher full access to GitHub repos | The Daily Swig</title>

    
<!-- Inline analytics settings emitted by the server. The nonce attribute is the
     CSP mechanism that lets this inline script run; the policy itself is sent as
     an HTTP header and is not visible in this file. -->
<script nonce="MkuAIN0arq140pNZ2TCf8Ai35HuXsbvR">
    // Opaque per-user reference; empty on this page. Its consumer is not in this file.
    const userRef = "";
    // Name of the custom analytics dimension this page reports under (consumer not in this file).
    const dimensionName = "dimension2";
</script>

    <meta content="Vulnerability in volunteer-run open source project left API token fully exposed" name="description">
    
<!-- Twitter data -->
    <meta name="twitter:card" content="summary_large_image">
    <meta name="twitter:site" content="@DailySwig">
<meta name="twitter:title" content="Homebrew bug allowed researcher full access to GitHub repos">
    <meta name="twitter:description" content="Vulnerability in volunteer-run open source project left API token fully exposed">
    <meta name="twitter:creator" content="@EmmaWoollacott">
<meta name="twitter:image" content="https://portswigger.net/cms/images/52/cd/8f443b2f5c0f-twittercard-main.jpg">

<!-- Open Graph data -->
<meta property="og:title" content="Homebrew bug allowed researcher full access to GitHub repos" />
    <meta property="og:description" content="Vulnerability in volunteer-run open source project left API token fully exposed">
<meta property="og:type" content="article" />
<meta property="og:url" content="https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos" />
<meta property="og:image" content="https://portswigger.net/cms/images/52/cd/8f443b2f5c0f-twittercard-main.jpg" />
    <meta property="og:site_name" content="The Daily Swig | Cybersecurity news and views" />
    <meta property="article:published_time" content="2018-08-08T15:30:00" />

    <link href="https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos" rel="canonical"/>

        <link href="https://portswigger.net/daily-swig/amp/homebrew-bug-allowed-researcher-full-access-to-github-repos" rel="amphtml"/>

    <link href="/content/images/logos/favicon.ico" rel="icon" type="image/x-icon"/>
    <link href="/content/images/logos/apple-touch-icon.png" rel="apple-touch-icon">
    <link href="/content/psdailyswig.css?v=jSgDMpQsotICfDI0OFAGpL7Z6Ck" rel="stylesheet" type="text/css">
    <link rel="preload" href="/Content/Fonts/ps-icons-small/ps-icons-small.woff?td2uot" as="font" crossorigin="anonymous">
<link rel="preload" href="/Content/Fonts/ps-main/ps-icons.woff?l1la2n" as="font" crossorigin="anonymous">
</head>
<body class="theme-dailyswig">
    


  
    




<section class="maincontainer dailyswig">
    <div class="container is-flex margin-bottom-m">
        <div class="maincol">
            <div class="post-card">
                
<h1>Homebrew bug allowed researcher full access to GitHub repos</h1>
                
                <div class="post-additionalinfo">
                    
<a href="/daily-swig/by/emma-woollacott">
    Emma Woollacott</a>

08 August 2018 at 15:30 UTC

    <br>
    Updated: 09 October 2019 at 09:36 UTC

                </div>
                <div class="post-labels">
                    
            <a href="/daily-swig/open-source-software">
                <span>Open Source Software</span></a>
            <a href="/daily-swig/github">
                <span>GitHub</span></a>
            <a href="/daily-swig/vulnerabilities">
                <span>Vulnerabilities</span></a>

                </div>
                

                <div class="post-content">
                    <!-- Article Start -->
                    <p class="standfirst">Vulnerability in volunteer-run open source project left API token fully exposed</p><p class="text-center"><img src="/cms/images/52/cd/8f443b2f5c0f-article-main.jpg" title="Dim Tik / Shutterstock"></p><p>Open source software package management system Homebrew has patched a vulnerability that enabled a security researcher to gain access to GitHub repositories in under half an hour.</p><p>Homebrew, which is run by a team of 12 volunteers, was alerted to the breach by white hat hacker Eric Holmes after he was able to exploit the vulnerability in no time at all.</p><p>Citing recent breaches at NPM, RubyGems, and Gentoo, Holmes – an operations engineer at Remind – said he came across the bug when researching concerns about the potential for package management systems to be used as attack vectors for distributing malicious software.</p><p>“I found that Homebrew runs a Jenkins instance that’s (intentionally) publicly exposed at https://jenkins.brew.sh,” he wrote <a href="https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab" target="_blank" rel="nofollow">in his blog</a>.</p><p>“After some digging, I noticed something interesting; builds in the ‘Homebrew Bottles’ project were making authenticated pushes to the BrewTestBot/homebrew-core repo. 
This got me thinking, ‘where are the credentials stored?’”</p><p>Following a link to ‘Environment Variables’, Holmes spotted an exposed GitHub API token which gave him access to three core Homebrew repositories: Homebrew/brew, Homebrew/homebrew-core, and Homebrew/formulae.brew.sh.</p><p>And because the Homebrew/homebrew-core repository did not have a protected master branch, this would have allowed him to make a fast-forward change to refs/heads/master, inserting malicious software that would have been included in any new installations or updates.</p><p>Holmes reported the vulnerability to the Homebrew team, who immediately revoked the credentials and updated the repositories so that non-administrators would no longer be able to push directly to refs/heads/master.</p><p class="bold">Security second?</p><p>However, as the team <a href="https://brew.sh/2018/08/05/security-incident-disclosure/" target="_blank" rel="nofollow">points out</a>, it's near impossible for an open-source project staffed by volunteers to cope with security issues in the same way as a major corporation – this particular problem was resolved by a staff member on paternity leave, while his child took a nap.</p><p>Holmes believes that other package managers are likely to be vulnerable too.</p><p>He described the way he was able to compromise Homebrew as ‘the scariest, and arguably the easiest method’, pointing out that compromising the infrastructure itself allows any checks and balances to be bypassed. However, other attack vectors may also be possible.</p><p>“One way is to compromise user accounts in the distribution system of the package manager. 
Package managers like RubyGems, NPM, PyPI, and Docker Hub all have webapps and are all likely targets for this, whether it's through phishing, or credential leaks from previous breaches,” he told <span class="italic">The Daily Swig</span>.</p><p>“In this scenario, the user account for a high-profile package might be compromised and allow an attacker to replace an existing version of the package with a backdoor. You can imagine a scenario where the RubyGems credentials for a Rails maintainer are leaked.”</p><p>Holmes said he would like to see authentication and authorisation taken more seriously, using strong forms of multi-factor authentication such as time-based one-time password (TOTP) algorithms and Universal 2nd Factor (U2F).</p><p>Holmes added that package managers should at the very least support signed packages and content-addressable identifiers that can be cryptographically validated to protect against tampering. He’d also like to see more investment from major software players.</p><p>“If we don’t address these things as an industry,” Holmes warned, “we’re in for a world of hurt in the coming years.”</p>
                    <!-- Article End -->
                </div>
                <div class="post-labels">
                    
            <a href="/daily-swig/open-source-software">
                <span>Open Source Software</span></a>
            <a href="/daily-swig/github">
                <span>GitHub</span></a>
            <a href="/daily-swig/vulnerabilities">
                <span>Vulnerabilities</span></a>

                </div>
                <div class="post-authorinfo">

<img src="/cms/profiles/emma-woollacott.png" alt="Emma Woollacott"/>
<div class="post-authorinfo-text">
    <p class="post-authorinfo-name">
        <!-- Author Start -->
        <a href="/daily-swig/by/emma-woollacott">Emma Woollacott</a>
        <!-- Author} End -->
    </p>
        <p>
            <a href="https://twitter.com/EmmaWoollacott">@EmmaWoollacott <span class="icon cmsicon-twitter"></span></a>
        </p>
</div>

                </div>
                

            </div>
        </div>

<div id="widgetcolumn" class="post-widgetcolumn rightcol">
</div>    </div>



</section>


<script type="application/ld+json">
{
  "@context": "http://schema.org",
  "@type": "NewsArticle",
  "author": {
    "@type": "Person",
    "email": "dailyswig@portswigger.net",
    "name": "Emma Woollacott"
  },
  "dateModified": "2019-10-09",
  "datePublished": "2018-08-08",
  "headline": "Homebrew bug allowed researcher full access to GitHub repos",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos"
  },
  "image":{
    "@type": "ImageObject",
    "url": "https://portswigger.net/cms/images/52/cd/8f443b2f5c0f-twittercard-main.jpg"
  },
  "publisher": {
    "@type": "Organization",
    "logo": {
      "@type": "ImageObject",
      "url": "https://portswigger.net/content/images/logos/dailyswig-logo.jpg"
    },
    "name": "The Daily Swig",
    "url": "https://portswigger.net/daily-swig",
    "sameAs": [
      "https://twitter.com/dailyswig"
    ]
  },
  "url": "https://portswigger.net/daily-swig/homebrew-bug-allowed-researcher-full-access-to-github-repos"
}
</script>

    <script src="/bundles/cms/dailyswig/details.js?v=IDI_vy-Vbaa4WXm-XDgRhh_x__U" nonce="MkuAIN0arq140pNZ2TCf8Ai35HuXsbvR"></script>



</body>
</html>